payload
Intelligence Profile
Payload is a ransomware group that emerged in early 2026. It uses Babuk-derived source code to target both Windows and ESXi systems, running cross-platform double-extortion attacks against the healthcare, energy, real estate, and agriculture sectors. It claimed 12 victims across seven countries within hours of launching its leak site.
Threat Analysis
Payload is a threat actor of known sophistication and undetermined national origin, engaged in cyber operations with a primarily financial motivation.
Financially motivated threat actors like Payload prioritize monetary gain through methods such as ransomware deployment, banking trojans, cryptocurrency theft, BEC scams, or credential harvesting for resale on underground markets.
Ransomware Victims (68)
CTIWATCH tracks 68 organizations claimed as victims by Payload on its data leak site, with attack dates, sectors and countries.
Known Campaigns
Payload is conducting an active ransomware campaign targeting organizations across 8 countries. Primary targets: Energy, Financial Services, Manufacturing. 9 confirmed victims recorded in the last 45 days. Campaign status: ACTIVE (last activity 8 Apr 2026).